sast-config


SAST Tool Configuration and Tuning

A structured, repeatable process for reviewing and tuning Static Application Security Testing (SAST) tool configurations against OWASP ASVS 4.0.3 verification requirements and the CWE Top 25 Most Dangerous Software Weaknesses. This skill covers Semgrep rule authoring, CodeQL query patterns, severity tuning, false positive management, custom rule development, and CI integration. All findings map to ASVS controls and CWE identifiers.
When to Use

If a target is provided via arguments, focus the review on: $ARGUMENTS

  • Initial SAST deployment to establish baseline rule configuration.
  • Periodic SAST tuning reviews to reduce false positive rates.
  • Custom rule development for organization-specific vulnerability patterns.
  • CI/CD integration review for SAST gate enforcement.
  • Post-incident rule gap analysis (a vulnerability was missed -- why?).
  • ASVS compliance mapping to verify SAST coverage against verification requirements.

Installs: 12 | GitHub Stars: 19 | First Seen: May 4, 2026
sast-config — unitoneai/securityskills